AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]

Brad Clements bkc at
Fri Oct 24 12:58:15 EDT 2003

On 24 Oct 2003 at 10:35, Stefan H. Holek wrote:

> Why is everybody so obsessed with AUTHENTICATED_USER? This variable is not
> suitable for anything deserving the name "security". It is NOT SAFE to
> assume that it will contain anything useful.

Thanks for bringing this up.

I've changed my code. I had thought that AUTHENTICATED_USER was "a special 
attribute of REQUEST".

Brad Clements, bkc at
(315)268-1000
(315)268-9812 Fax
AOL-IM: BKClements
